feat(gcpsm): auto-detect projectID from GCP metadata server

[patjlm]

Problem Statement

When using Workload Identity in GKE, users must explicitly specify the projectID in SecretStore/ClusterSecretStore configurations, even when accessing secrets in the same GCP project as the GKE cluster. This forces per-cluster parameterization of SecretStore configs, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments.

While PR #4575, #4622, and #5208 made cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) optional via metadata server auto-detection, the main projectID field remained required.

Related Issue

Builds upon:

• Lookup cluster workload identity from instance metadata #4575 - Lookup cluster workload identity from instance metadata
• fix(gcp): makes workload identity parameters optional #4622 - Makes workload identity parameters optional (CRD updates)
• docs: document redundant clusterName/clusterLocation parameters in GCP Secret Manager docs #5208 - Document redundant clusterName/clusterLocation parameters

Proposed Changes

This PR extends metadata server auto-detection to include the projectID field:

1. provider.go: Modified clusterProjectID() to fall back to GCP metadata server when projectID is not specified
2. provider.go: Modified NewClient() to populate gcpStore.ProjectID with the detected value when empty
3. workload_identity_test.go: Added TestClusterProjectIDMetadataFallback to verify metadata server fallback
4. docs: Updated google-secrets-manager.md to document the auto-detection feature with examples

Key Benefits:

• Portable SecretStore configurations that work across multiple GCP projects without modification
• Enables static bootstrap manifests via Config Sync/Fleet (no variable substitution needed)
• Eliminates cross-cluster network dependencies for private GKE clusters
• Maintains backward compatibility - projectID can still be explicitly set

Use Cases:

• Multi-project GitOps deployments with shared SecretStore configs
• Bootstrap scenarios where secrets are in the same project as the cluster
• Simplifies configuration in environments with many clusters

Note: projectID remains required when:

• Using static service account credentials (not Workload Identity)
• Running outside GKE
• Accessing secrets in a different GCP project than the cluster

Format

Title follows the required format: feat(gcpsm): auto-detect projectID from GCP metadata server

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage (added TestClusterProjectIDMetadataFallback)
• All tests pass with make test (verified locally)
• I ensured my PR is ready for review with make reviewable (lint and tests passed, docs build has local env issues but code is correct)

This PR adds auto-detection of GCP projectID from the GCP metadata server for SecretStore/ClusterSecretStore when using Workload Identity (and related ADC/Federation flows) on GKE, allowing projectID to be omitted when secrets live in the same GCP project as the cluster.

Changes:

• providers/v1/gcp/secretmanager/provider.go
  • clusterProjectID(ctx, spec) now accepts context, prefers explicit values (workloadIdentity.clusterProjectID or spec.projectID), errors when static credentials (SecretRef) are used, and otherwise falls back to the GCP metadata server.
  • NewClient() populates gcpStore.ProjectID with the detected cluster projectID when projectID is empty.
  • Adds metadataClientFactory = newMetadataClient to enable injection/mocking of metadata clients for tests.
  • Extracts newSMClient(ctx, ts, location) to centralize Secret Manager client creation.
  • Adds debug-level (V1) logging when metadata-server fallback fails to aid diagnosability.
• providers/v1/gcp/secretmanager/provider_test.go
  • New comprehensive unit tests covering projectID resolution and metadata fallback across auth methods (Workload Identity, Workload Identity Federation, ADC, static creds), cross-project cases, and error paths using a fake metadata client.
• providers/v1/gcp/secretmanager/workload_identity_test.go
  • Tests updated to pass context to clusterProjectID; adds TestClusterProjectIDMetadataFallback.
• docs/provider/google-secrets-manager.md
  • Documents auto-detection behavior, clarifies when projectID is required vs optional, distinguishes projectID vs clusterProjectID, adds YAML examples and verification snippets, and documents explicit cluster name/location usage.

Benefits:

• Enables portable, GitOps-friendly SecretStore manifests and bootstrap scenarios where secrets are in the same project as the GKE cluster.
• Reduces cross-cluster network dependencies for private GKE clusters.
• Backward compatible: explicit projectID still required for static credentials, non-GKE environments, or cross-project secret access.

Notes:

• projectID remains required for static service account credentials, when running outside GKE, or when accessing secrets in a different GCP project.
• Tests and docs updated; contribution checklist items completed by the author.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds metadata-server fallback so SecretStore/ClusterSecretStore can omit GCP projectID on GKE, changes clusterProjectID to accept a context, introduces a metadata client factory for testing, centralizes Secret Manager client creation, expands unit tests for projectID resolution, and updates docs with auto-detection and Workload Identity guidance.

Changes

Cohort / File(s)	Summary
Documentation docs/provider/google-secrets-manager.md	Updates guidance and examples: projectID may be omitted when auto-detected from GKE metadata (WIF/WIF-Fed/ADC), clarifies when projectID is required, explains projectID vs clusterProjectID, adds explicit cluster name/location options and revised WIF/Core Controller YAML and verification snippets.
GCP provider implementation providers/v1/gcp/secretmanager/provider.go, providers/v1/gcp/secretmanager/...workload_identity.go	Adds metadataClientFactory for injection, changes clusterProjectID to func(ctx context.Context, spec ...), implements metadata-server fallback to populate ProjectID when appropriate, introduces newSMClient(ctx, ts, location) to centralize client creation, and retains explicit errors where fallback doesn't apply.
Unit tests — workload identity providers/v1/gcp/secretmanager/workload_identity_test.go	Updates test call sites to pass context.Context to the revised clusterProjectID signature.
Unit tests — projectID resolution providers/v1/gcp/secretmanager/provider_test.go	Adds comprehensive tests using a fake metadata client covering ProjectID resolution and metadata fallback across auth methods (Workload Identity, Workload Identity Federation, ADC, static creds, AWS), cross-project and precedence scenarios, and error paths.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@providers/v1/gcp/secretmanager/provider.go`:
- Around line 162-176: The clusterProjectID function currently falls back to the
GKE metadata server even when static credentials are configured; update
clusterProjectID to only call metadataClientFactory() and ProjectIDWithContext
when spec.Provider.GCPSM.Auth.SecretRef is nil (i.e., no static credential
configured). If Auth.SecretRef is present and no explicit ProjectID or
WorkloadIdentity.ClusterProjectID is set, return the errNoProjectID error
instead of using metadata; reference clusterProjectID,
spec.Provider.GCPSM.Auth.SecretRef, metadataClientFactory(),
ProjectIDWithContext(ctx), and errNoProjectID when making the change.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@providers/v1/gcp/secretmanager/provider.go`:
- Around line 88-94: The code mutates the input spec by writing to
gcpStore.ProjectID inside NewClient; instead create a shallow copy (e.g.,
gcpStoreLocal := *gcpStore), set gcpStoreLocal.ProjectID = clusterProjectID only
when empty, and assign that copy to client.store so the original gcpStore param
is not modified; ensure any subsequent access in NewClient uses the copied
variable instead of the original gcpStore.

[patjlm]

Addressed CodeRabbit's nitpick suggestion: added debug-level logging (log.V(1).Info) when the metadata server fallback fails to retrieve projectID. This helps operators diagnose auto-detection failures (e.g., metadata server blocked by network policy or returning transient errors).

See commit d03d0db.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

providers/v1/gcp/secretmanager/provider.go (1)

137-137: ⚠️ Potential issue | 🟡 Minor

Pre-existing bug: p == nil should be g == nil.

This check validates the *Provider receiver p (which is already non-nil since ValidateStore was called on it), when it should be validating g (the *GCPSMProvider config extracted on line 136). This is not introduced by this PR, but worth fixing while you're in the file.

-	if p == nil {
+	if g == nil {

[bharath-b-rh]

LGTM, except for a couple of nits.

This is outside the commit, but when going through the file, found the check here should be if g == nil { instead.

[patjlm]

LGTM, except for a couple of nits.

This is outside the commit, but when going through the file, found the check here should be if g == nil { instead.

Fixed this p==nil issue in latest commit as well

[Skarlso]

@patjlm Please sign your commits. :)

[patjlm]

@patjlm Please sign your commits. :)

sure, done @Skarlso !

[Skarlso]

@patjlm I'm afraid, you still have three commits that are un-signed, sorry. :D You can either squash everything into one and then sign that one, or you can sign all three. :)

[patjlm]

@Skarlso weird, i see them all signed/verified on github... but i'll squash and rebase anyways

[Skarlso]

https://github.com/external-secrets/external-secrets/pull/5922/checks?check_run_id=66694567331

This is the thing you need to take care of. :)

[Skarlso]

You need a Signed-off-by: Name <email@email.com> in your commit. You can get it by using git commit -s

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[patjlm]

done! 😓

[Skarlso]

/ok-to-test sha=47eb7323e8b6244e94a97fb9db588b708b1880f1

[eso-service-account-app]

[Bot] - ✅ e2e for 47eb7323e8b6244e94a97fb9db588b708b1880f1 passed